Can We Protect Our Privacy Through Legal Solutions? Or Is Technology Now Beyond Our Control?
By BOB BARR
Friday, Apr. 15, 2005
Recently, Atlanta-based ChoicePoint - one of the world's largest data warehouses - saw its network illegally accessed by a ring of Nigerian scam artists. When this occurred, many Americans were forced to confront an ugly truth that privacy advocates have understood for a long time: Personal privacy, as we have known, understood, and applied it for years, is on life support.
Can we change the law to better protect privacy? Or will rapidly changing technology defy our attempts to do so?
The Three Key Evolutions in Technology That Threaten Privacy
Three technological shifts account for today's new paradigm on the privacy front: size, speed, and threat.
First, the amount of space it takes to store information has dropped at a rapid rate. Thirty-five years ago, when I was an undergrad at Southern Cal, watching scandals such as the FBI-orchestrated "COINTELPRO" unfold, credit information on a hundred thousand consumers would have filled a warehouse of paper files.
Today, increase that amount of information a hundredfold, and it can still fit on a jump drive any high school student can buy at Wal-Mart and carry on their key-chain.
Second, information that used to change hands at a snail's pace now moves at light speed. In the world of just a generation past, let's say you wanted to locate and send a file in our hypothetical paper warehouse to a different city. To begin, you had to pay someone to search rows of filing cabinets, find the file, copy the file, and put it in the mail. Then, you had to wait while the postal service delivered it. Before it could then be accessed, that labor-intensive filing process would have to be replicated in reverse in its new data home. Then, any would-be reader would have to once again locate the file.
Now, a generation later, all you have to do is press a button on a personal computer. That's it.
The combination of shrinking size of storage space, and immensely increased speed of sending and retrieval, now means that literally anyone with a computer and a phone line can become a data warehouse, limited in size only by the number of bytes their hard drive will hold.
Making matters worse, from a privacy standpoint, your information is no longer contained by national borders. The dotcom craze left in its wake a dense web of fiber optic lines circling the globe hundreds of times over. In today's world, it is just as easy to review your personal information in Lagos as it is in Atlanta, Washington, DC or Kuala Lumpur, Malaysia. That's efficient for business, but a disaster for privacy protection - for others, too, can take advantage of the ease of access with a little hacking, and may do so far outside the reach of U.S. law.
Risk Management Increasingly Demands Massive Private Data
Even these three factors' convergence might not be so threatening to privacy, except that there is now so much private data in the mix - from medical to financial, to identifying, to, potentially, genetic information.
In America, we have led the development of a new kind of society, in which no cultural goal appears to matter more than managing risk. A vast industry of actuaries, risk management specialists, intelligence analysts, public health officials, and statisticians calculates the precise chances of any imaginable dangerous or undesirable event, and makes specific recommendations on how to reduce the numeric odds of such occurrences.
The key ingredient in our ability to make these kinds of judgments is data, the currency of power in the Twenty-First Century. As we seek to reduce threats to our lives and property, the common denominator is our ability to know as much as possible about as many things as possible. Furthermore, we must be able to sift and access that information rapidly. And that inevitably means privacy violations are risked.
An Example: How Risk Management Can Raise Privacy Issues
Let's assume, for example, that I want to know whether there are any felons living on a particular street before buying a home there. Providing this information may seem at first blush to harm no one, and potentially allow me to mitigate the risks facing my family. But on closer scrutiny, problems appear.
In order to answer this question, for example, I would need to first verify the identity of everyone - felon or not - on the street. Otherwise, there's no way I could compare the list of actual residents to a list of felons, and pinpoint matches.
There is one exception to this point: For Megan's List offenses, I might be able to simply search an online database by area code. But not all offenses are Megan's List offenses. So if I seek to figure out if my neighbors have committed other crimes, privacy concerns clearly manifest themselves.
Currently, the only way to attempt identity verification is through a combination of data such as birthday, driver's license number, and Social Security number. So, allowing me to learn about felons on my street would require a database containing detailed private information about everyone on the street.
If a company built such a database and allowed me to access it, what's to prevent a felon pretending to be me from accessing it, and using the same information to locate potential victims on the street? The felon might, for example, target elderly persons whose driver's licenses have been revoked due to poor eyesight - very vulnerable potential victims.
Our Sacrifice of Privacy for Security Will Have Serious Long-Term Costs
A handful of voices - mine included - have long insisted that sacrificing privacy for security represents a Faustian bargain that will have decidedly undesirable repercussions over the long term. Unfortunately, the weight of history strongly confirms what thinkers from Machiavelli to Benjamin Franklin have told us for centuries: faced with a choice between liberty and security, the majority will choose security.
Soon someone, somewhere, is going to take advantage of technological advances in data storage and transmission in order to build massive databases of personal information and sell their contents. Indeed, many private companies already do sell customer information to a greater or lesser extent. Others promise they never will, but once one company puts the information out there, it may be out there for good.
Within this reality, the public policy challenge is threefold. We must weed out truly bad actors who abuse information, or punish them if they strike. We must require good actors to adopt meaningful privacy protection policies. And we must enact reasonable federal controls that make sense for companies, the government, and individual citizens.
The risk we face if we target all data providers with knee-jerk, oppressive legislation or regulation, is driving them beyond the reach of any kind of control. In other words, making the United States singularly inhospitable territory for data services will encourage new entrepreneurs to simply set up shop in places where they are subject to no restrictions. And, if you think having your personal information on file in a data warehouse in Atlanta is bad, imagine how much worse it would be to have it in India, Bangladesh, China, or anywhere else the prevalence of cheap labor and minimal government control create a hospitable environment. The current lack of meaningful international protocols or treaties on data aggregation clearly and understandably maximizes this risk.
The Best Solution: Accept, But Control, Well-Behaved Data Aggregators
Our message to data aggregators should be simple: if you demonstrate a commitment to fixing mistakes, safeguarding personal data, and playing by the rules, we want to have you as part of the legitimate business community in America. If not, then we will do everything possible to curtail your operations, including working to stop other nations from offering you safe haven. This carrot-and-stick approach is by far our best option.
Additionally, we should remember that technology has no ideology or policy preference. The same technologies responsible for the death of privacy also present us with an opportunity to resurrect it. For example, gaps in computer security spawned the development of powerful encryption technologies that dramatically increased personal privacy.
Entrepreneurs should recognize there is a market for privacy, and continue working to serve that market with products that allow us to apply technology to protect our information from prying eyes. If this occurs, we may be able to safeguard whatever privacy we still retain despite existing commercial databases.
Privacy is under an assault stronger than any it has ever faced before. Yet we can take comfort in the knowledge that we are not powerless to fight back.
There are real, pragmatic solutions to this challenge, and we should implement them as quickly as possible. More important, perhaps, we should demand that the Congress forego its standard, knee-jerk, headline-grabbing mode, and engage in a deliberative, long-term, substantive process to address the clear and present danger posed by recent instances of data theft.